I am new to mobile development and even newer to hybrid apps, and I have a doubt.

On the client-side web (Angular, for example) we are told that the client is not secure, anyone can change the code, etc.

What about Ionic in that regard?

I want to create an application (local, not communicating with any server) where I need a private state. What I thought is having a local login (more than login, just prompt a password if it is correct, let you in) and if you give correct credentials, you get it.

Since it is local, built into the application, I have this question: Is that secure? I guess I can have my password inside the sandbox (sql, json but hashed…) but I am not sure if that is at all secure. Yes, a root user can access the sandbox and read your stuff, but for that you need physical access to the phone.

I am not talking about top-notch security, just a way to hide some notes / photos / videos from anyone holding your phone (you need to input a password).

I am more concerned about someone being able to debug the app (Chrome tools), remove some code / markup and get in, but still, you need someone physically doing that and I think that production packages are not visible from remote debugging.

TL;DR Can you have some basic security, AKA private states in a local way? Just preventing the wrong hands from seeing your stuff. If so, do you like my idea or do you have something better?

Any client-side app can and probably will get decompiled if someone wants to enough. Doesn’t matter if it is Ionic, native Android, etc.

If you want to truly protect data you can implement AES encryption and decrypt with a password every time it needs to be accessed. This would mean the user types a password on every use and it gets cleared on close.

See the following post I did on AES. It is completely compatible with Ionic Framework:

I am developing an Ionic app that consumes web services developed in Slim Framework. It’s working perfectly but without security.

To apply security, my idea was:

I have a login page. If the username and password are correct, I generate a JWT token and add it to local storage. Later, when I need to access another API method, I send the token in the Authorization header. It’s working, but it isn’t secure because the token is visible.
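
The AES suggestion in the reply above (decrypt with the password on every use), as an added example that is not code from the thread or the linked post: the key is derived from the typed password and nothing password-equivalent is stored, so stripping the login screen in a debugger still leaves only ciphertext. It uses Node's built-in `crypto` module so it runs offline (WebCrypto in a WebView offers the same PBKDF2 and AES-GCM primitives); the function names, blob layout and iteration count are assumptions of this example.

```javascript
// Added example: password-derived AES-256-GCM for a locally stored note.
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for the target device
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Stretch the typed password into a 256-bit key. The salt is random per note.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Returns base64(salt || iv || tag || ciphertext), safe to keep in app storage.
function encryptNote(password, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce for every encryption
  const key = deriveKey(password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0); // drop the key as soon as it is no longer needed
  return Buffer.concat([salt, iv, tag, ciphertext]).toString('base64');
}

// Returns the plaintext, or null when the password is wrong or the blob was
// modified. The GCM tag check is the "login": there is no stored hash to compare.
function decryptNote(password, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ciphertext = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const key = deriveKey(password, salt);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: wrong password or tampered data
  } finally {
    key.fill(0);
  }
}
```

Someone with the stored blob can still guess passwords offline, so the protection is bounded by password strength and the PBKDF2 work factor.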